Tag Archives: compliance plans

By Shelby Root and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by the Florida Bar in Health Law

Given the advances in information technology, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress as a comprehensive legislative and regulatory scheme to ensure basic protections of patients’ right of privacy regarding their health information. HIPAA, standing alone, does not provide a private right of action. It also preempts contrary state laws. A recent case in the Supreme Court of Connecticut, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014), addressed these issues. The decision answered the question of whether HIPAA preempts state law claims for negligence and negligent infliction of emotional distress against a healthcare provider who released medical records in the course of complying with a subpoena.

The Facts of Byrne v. Avery Center for Obstetrics and Gynecology, P.C.

During May 2004, Byrne started a personal relationship with Andro Mendoza, which lasted four months. At some point during May 2004 and July 12, 2005, the Avery Center provided Byrne with gynecological and obstetrical care and treatment. During the visit she was given the center’s privacy policy regarding protected health information. The policy, and the law, state that a patient’s health information will not be disclosed without their authorization. After Byrne’s relationship with Mendoza ended she instructed the center not to release her medial records to him.

On May 31, 2005, Mendoza filed paternity actions against Byrne. The Avery Center was served with a subpoena requesting its presence, along with Byrne’s medical records, at Probate Court. The center did not alert Byrne of the subpoena, file a motion to quash or appear in court. Instead, it mailed a copy of Byrne’s medical file to the court.

The Supreme Court of Connecticut’s Holding.

The Supreme Court of Connecticut reasoned that the fact a state law that allows an individual to file a civil action to protect their privacy exist does not mean that the law conflicts with the HIPAA penalty provisions. Therefore, the court concluded that HIPAA does not preempt causes of action when they are based on a state common or statutory law due to a healthcare provider’s breach of confidentiality.

The court found that a number of federal and state courts have ruled that a breach of the HIPAA Privacy Rule may be the basis for a breach of a duty of care in state court negligence actions. A patient’s private right of action does not conflict with or complicate healthcare provider’s compliance with HIPAA. In fact, negligence claims in state courts are furthering HIPAA’s goal of deterring wrongful disclosure of patient’s healthcare information. To view a past blog on a HIPAA violation case in California, click here.

Editors’ Comments on Byrne.

This is the latest of several recent cases where state courts have allowed cases to proceed against health care providers who breached the medical confidentiality of their patients, based in part on the HIPAA Privacy Regulations. In this case, the court correctly held that, although HIPAA does not afford a private right of action by itself, it does establish the duty that is owed by a healthcare provider to its patients to protect their medical information. With this duty being established, the plaintiff can then proceed under a straight negligence tort cause of action.

It is also noteworthy that the HIPAA Privacy Regulations are just one source of “evidence” or standards that can be used to establish th duty owed by medical professionals and theories.

This case also helps to put to rest the spurious defense that HIPAA might “preempt” such a cause of action that is brought under state law. We have seen this theory used by defendants just about any time a federal statute or federal regulation might come into play in a tort law suit. The court correctly determined that this defense theory was not valid.

If anything, HIPAA has better defined and strengthened a duty that has been owed to patients by physicians, nurses, health professionals and health facilities since the time of Hippocrates.

Comments?

What are your thoughts on the Supreme Court of Connecticut’s ruling? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and instiuttions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

About the Authors: Shelby Root is a summer associate at The Health Law Firm. She is a student at Barry University College of Law in Orlando. George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law, and Lance O. Leider, J.D., The Health Law Firm

With the popularity of electronic health records (EHRs), social media and everything in between, the U.S. Department of Health and Human Services (HHS) has released stronger rules and protections governing patient privacy. On January 17, 2013, the HHS announced the omnibus rule to strengthen the privacy and security protection established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Now, I can’t say that I’ve read the entire document yet, but I can tell you about the major parts of the omnibus rule, and what it means to you.

It is Your Responsibility to Keep Patient Information Safe.

HHS is expanding the government’s jurisdiction over healthcare providers, health plans and other entities that process health insurance claims to include their contractors and subcontractors with whom providers share protected health information. As the industry embraces new care delivery models, including accountable care organizations (ACOs) and integrated delivery systems, data is exchanged between physicians, hospitals and additional providers to improve care and reduce costs. This all has to be done while keeping patient data safe. According to the HHS, some of the largest breaches involve business associates and not the covered entities themselves.

The government is committed to doing more HIPAA compliance audits and collecting more fines. The fines the government collects will help to fund the audit process. Because of this rule, we will see audits of business associates and their subcontractors, not just covered entities.

Under the new rule, penalties have been increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.

The “Wall of Shame” is a Public Display of Breaches.

The changes also improve the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by making it clear when breaches must be reported to the Office for Civil Rights (OCR), according to the HHS.

Once reported to the OCR, the breaches are then placed on what is commonly known in the healthcare industry as the “Wall of Shame.” It’s a comprehensive list of privacy breaches each affecting more than 500 people. We’re currently working on a “Wall of Shame” blog, so more on that later.

Patient Demographics and Marketing.

One part of the final rule also sets new regulations for how patient information can be used for marketing and fundraising. It ensures that such information cannot be sold without a patient’s permission. According to an article in Fierce Healthcare, this provision is a huge win for patient advocates and privacy groups who blast hospitals for mining patient data to target affluent or privately insured patients. Hospitals using health and demographic data from patients’ records to target advertising could be in hot water.

Since the HIPAA laws have changed, you need to edit your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. A HIPAA risk assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your risk assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today. To learn more on HIPAA risk assessments, click here to read a blog we wrote.

Take a Closer Look at Your Privacy Practices.

Healthcare providers, now is the time to revise your Notice of Privacy. The final rule will be effective on March 26, 2013. Covered entities and their business associates will have until September 21, 2013, to comply.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

What do you think about the new HIPAA rules? Do you think these updates were necessary? Do you think it will be difficult for health professionals to comply? Please leave any thoughtful comments below.

Authors: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.